Enforce viewing permissions for search and keywords in the Wiki. Fixes bug #12027

docs/changelog/7.x.x.txt

@@ -3,6 +3,7 @@
  - fixed #11965: Friend Manager only shows 15 people
  - fixed #12023: International URLs of aattachments & files in folder
  - fixed #12024: Copied Collaboration System re-sends subscription mail
+ - fixed #12027: Wiki Search and Keyword security, pages visible to visitors when wiki is restricted.
 
 7.10.7
  - rfe #10521: Use monospaced font in template edit textarea

lib/WebGUI/Asset/Wobject/WikiMaster.pm

@@ -861,6 +861,8 @@ Return search results that match the keyword from the form variable C<keyword>.
 
 sub www_byKeyword {
     my $self    = shift;
+	my $check   = $self->checkView;
+	return $self->session->privilege->noAccess() unless $self->canView;
     my $session = $self->session;
     my $keyword = $session->form->process("keyword");
 
@@ -972,6 +974,8 @@ Render a search form and process the contents, returning the results.
 
 sub www_search {
 	my $self = shift;
+	my $check = $self->checkView;
+	return $self->session->privilege->noAccess() unless $self->canView;
 	my $i18n = WebGUI::International->new($self->session, "Asset_WikiMaster");
 	my $queryString = $self->session->form->process('query', 'text');
 	my $var = {

t/Asset/Wobject/WikiMaster.t

@@ -37,6 +37,7 @@ my $wiki
         topLevelKeywords => 'criminals,inmates,staff',
         url              => 'testwiki',
         title            => 'testwiki',
+        groupIdView      => '2',
     }, @childCoda );
 
 my $wikitag = WebGUI::VersionTag->getWorking( $session );
@@ -61,7 +62,7 @@ WebGUI::Test->addToCleanup($tag_set1);
 #----------------------------------------------------------------------------
 # Tests
 
-plan tests => 11;        # Increment this number for each test you create
+plan tests => 15;        # Increment this number for each test you create
 
 #----------------------------------------------------------------------------
 # 
@@ -257,4 +258,15 @@ cmp_deeply(
 
 $page_set{criminals}->update({keywords => 'red,andy,tommy'});
 
+$session->user({userId => 3});
+ok $wiki->canView(), 'checking permission handling in www_byKeyword: Admin can view the wiki';
+$wiki->www_byKeyword;
+is $session->http->getStatus, 201, '... HTTP status set to 201';
+
+$session->user({userId => 1});
+ok !$wiki->canView(), '... visitor cannot view the wiki';
+$wiki->www_byKeyword;
+is $session->http->getStatus, 401, '... HTTP status set to 401, no access';
+
+
 #vim:ft=perl

t/Asset/Wobject/WikiMaster/search.t

@@ -38,6 +38,7 @@ my $wiki
     = $import->addChild( {
         className        => 'WebGUI::Asset::Wobject::WikiMaster',
         searchTemplateId => $templateId,
+        groupIdView      => '2',
     } );
 
 WebGUI::Test->addToCleanup($wiki);
@@ -45,12 +46,14 @@ WebGUI::Test->addToCleanup($wiki);
 #----------------------------------------------------------------------------
 # Tests
 
-plan tests => 1;        # Increment this number for each test you create
+plan tests => 4;        # Increment this number for each test you create
 
 $session->request->setup_body({
     query => 'Red&Andy',
 });
 
+$session->user({userId => 3});
+
 {
     WebGUI::Test->mockAssetId($templateId, $templateMock);
     $wiki->www_search();
@@ -61,6 +64,15 @@ is $templateVars->{addPageUrl},
     $wiki->getUrl('func=add;class=WebGUI::Asset::WikiPage;title=Red%26Andy'),
     'search encodes unsafe characters in addPageUrl';
 
+$session->user({userId => 1});
+ok !$wiki->canView(), 'checking permission handling in www_search: visitor cannot view the wiki';
+
+$templateVars = {};
+
+$wiki->www_search;
+is_deeply $templateVars, {}, '... no template variables set';
+is $session->http->getStatus, 401, '... HTTP status set to 401, no access';
+
 #----------------------------------------------------------------------------
 #